Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4166>.

Honza

--
Jan Cholasta
>From cdf6dcd447b762c47bf1f46a53a0127e265e6983 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 3 Sep 2014 15:04:35 +0200
Subject: [PATCH] Backup CS.cfg before modifying it

https://fedorahosted.org/freeipa/ticket/4166
---
 install/tools/ipa-upgradeconfig |  1 +
 ipaserver/install/cainstance.py | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 9c9de03..c0cd0e8 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1085,6 +1085,7 @@ def main():
         sub_dict['SUBJECT_BASE'] = subject_base
 
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    ca.backup_config()
 
     # migrate CRL publish dir before the location in ipa.conf is updated
     ca_restart = migrate_crl_publish_dir(ca)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e8bb7d7..8f7fdd5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -404,6 +404,7 @@ class CAInstance(DogtagInstance):
                 self.step("creating pki-ca instance", self.create_instance)
             self.step("configuring certificate server instance", self.__configure_instance)
         self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
+        self.step("backing up CS.cfg", self.backup_config)
         self.step("disabling nonces", self.__disable_nonce)
         self.step("set up CRL publishing", self.__enable_crl_publish)
         self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
@@ -723,6 +724,12 @@ class CAInstance(DogtagInstance):
 
         self.log.debug("completed creating ca instance")
 
+    def backup_config(self):
+        try:
+            backup_config(self.dogtag_constants)
+        except Exception, e:
+            root_logger.warning("Failed to backup CS.cfg: %s", e)
+
     def __disable_nonce(self):
         # Turn off Nonces
         update_result = installutils.update_file(
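Review bot: `CAInstance.backup_config` catches every `Exception`, logs only a one-line warning and returns, so the installer continues straight into the CS.cfg-modifying steps without the backup the ticket asks for and without the traceback that would explain why the copy failed. If `traceback` is imported in this branch (the second patch's context at the same class uses it), add `root_logger.debug(traceback.format_exc())` before the warning, and give the method a docstring such as `"""Back up CS.cfg; a failure is logged but does not abort the caller."""`. Note also that the method and the module-level function share the name `backup_config`: the unqualified call inside the method resolves to the module function because the class body is not an enclosing scope, which is correct but easy to misread, so a comment like `# module-level backup_config(), not this method` would help. The same applies to the identical method in the second patch (L127–L132).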
@@ -1577,6 +1584,11 @@ class CAInstance(DogtagInstance):
                       'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
                       'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
 
+        try:
+            backup_config(dogtag_constants)
+        except Exception, e:
+            syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
+
         DogtagInstance.update_cert_cs_cfg(
             nickname, cert, directives,
             dogtag.configured_constants().CS_CFG_PATH,
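Review bot: The backup and the write do not use the same constants object: `backup_config(dogtag_constants)` copies `dogtag_constants.CS_CFG_PATH`, while the `update_cert_cs_cfg` call right below writes to `dogtag.configured_constants().CS_CFG_PATH`; presumably these are the same path today, but if they ever diverge the file that is modified is not the one that was backed up. Either pass the same object to both (e.g. `backup_config()` so the default `dogtag.configured_constants()` matches the write target) or use `dogtag_constants.CS_CFG_PATH` on the write line. The failure is also reported through `syslog.syslog(syslog.LOG_ERR, ...)` here but through `root_logger.warning(...)` in the method above, with different severities for the same event; if this path runs from a renewal helper where syslog is the only channel, a one-line comment saying so would justify the split. The enclosing method starts outside the hunk; the same mismatch and inconsistency are present in the second patch at L157–L162.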
@@ -1705,6 +1717,15 @@ def install_replica_ca(config, postinstall=False):
 
     return ca
 
+def backup_config(dogtag_constants=None):
+    """
+    Create a backup copy of CS.cfg
+    """
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+
+    shutil.copy(dogtag_constants.CS_CFG_PATH,
+                dogtag_constants.CS_CFG_PATH + '.ipabkp')
 
 def update_people_entry(dercert):
     """
-- 
1.9.3

>From 3abeba94882e2e62f190fd0441be9bdfc0ce84ec Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 3 Sep 2014 15:04:35 +0200
Subject: [PATCH] Backup CS.cfg before modifying it

https://fedorahosted.org/freeipa/ticket/4166
---
 install/tools/ipa-upgradeconfig |  1 +
 ipaserver/install/cainstance.py | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 54193e9..5e74b39 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -1079,6 +1079,7 @@ def main():
         sub_dict['SUBJECT_BASE'] = subject_base
 
     ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+    ca.backup_config()
 
     # migrate CRL publish dir before the location in ipa.conf is updated
     ca_restart = migrate_crl_publish_dir(ca)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 531b930..c39ab85 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -449,6 +449,7 @@ class CAInstance(service.Service):
                 self.step("creating pki-ca instance", self.create_instance)
             self.step("configuring certificate server instance", self.__configure_instance)
         self.step("stopping certificate server instance to update CS.cfg", self.__stop)
+        self.step("backing up CS.cfg", self.backup_config)
         self.step("disabling nonces", self.__disable_nonce)
         self.step("set up CRL publishing", self.__enable_crl_publish)
         self.step("starting certificate server instance", self.__start)
@@ -801,6 +802,12 @@ class CAInstance(service.Service):
             root_logger.debug(traceback.format_exc())
             root_logger.critical("Failed to restart the certificate server. See the installation log for details.")
 
+    def backup_config(self):
+        try:
+            backup_config(self.dogtag_constants)
+        except Exception, e:
+            root_logger.warning("Failed to backup CS.cfg: %s", e)
+
     def __disable_nonce(self):
         # Turn off Nonces
         update_result = installutils.update_file(
@@ -1793,6 +1800,16 @@ def install_replica_ca(config, postinstall=False):
 
     return ca
 
+def backup_config(dogtag_constants=None):
+    """
+    Create a backup copy of CS.cfg
+    """
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+
+    shutil.copy(dogtag_constants.CS_CFG_PATH,
+                dogtag_constants.CS_CFG_PATH + '.ipabkp')
+
 def update_cert_config(nickname, cert, dogtag_constants=None):
     """
     When renewing a CA subsystem certificate the configuration file
@@ -1814,6 +1831,10 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
 
     with stopped_service(dogtag_constants.SERVICE_NAME,
                          instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+        try:
+            backup_config(dogtag_constants)
+        except Exception, e:
+            syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
 
         installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
                                     directives[nickname],
-- 
1.9.3
